imx-drm: imx-drm-core: improve safety of imx_drm_add_crtc()
authorRussell King <rmk+kernel@arm.linux.org.uk>
Mon, 16 Dec 2013 12:39:31 +0000 (12:39 +0000)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 18 Dec 2013 01:12:55 +0000 (17:12 -0800)
We must not add more CRTCs than we have declared to the vblank
helpers, otherwise we overflow their arrays.  Force failure if we
exceed the number of CRTCs.

Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Acked-by: Sascha Hauer <s.hauer@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/staging/imx-drm/imx-drm-core.c

index 19e431dee493eeb3f1e03b9c08de4b7be162b79e..96e4eee344ef602174acec2ce27cf57bfb0ce128 100644 (file)
@@ -501,6 +501,15 @@ int imx_drm_add_crtc(struct drm_crtc *crtc,
 
        mutex_lock(&imxdrm->mutex);
 
+       /*
+        * The vblank arrays are dimensioned by MAX_CRTC - we can't
+        * pass IDs greater than this to those functions.
+        */
+       if (imxdrm->pipes >= MAX_CRTC) {
+               ret = -EINVAL;
+               goto err_busy;
+       }
+
        if (imxdrm->drm->open_count) {
                ret = -EBUSY;
                goto err_busy;